EP3432523B1 - Method and system for connecting a terminal to a virtual private network - Google Patents
Method and system for connecting a terminal to a virtual private network
- Publication number
- EP3432523B1
- Authority
- EP
- European Patent Office
- Prior art keywords
- terminal
- vpn
- session
- gateway
- control device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION (parent of every entry below)
- H04L12/00—Data switching networks > H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L12/46—Interconnection of networks > H04L12/4641—Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L12/00—Data switching networks > H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
- H04L61/00—Network arrangements, protocols or services for addressing or naming > H04L61/50—Address allocation > H04L61/5007—Internet protocol [IP] addresses
- H04L63/00—Network architectures or network communication protocols for network security > H04L63/02—... for separating internal from external traffic, e.g. firewalls > H04L63/0272—Virtual private networks
- H04L63/00—Network architectures or network communication protocols for network security > H04L63/04—... for providing a confidential data exchange among entities communicating through data packet networks > H04L63/0428—... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/00—Network architectures or network communication protocols for network security > H04L63/08—... for authentication of entities > H04L63/0876—... based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/00—Network architectures or network communication protocols for network security > H04L63/16—Implementing security features at a particular protocol layer > H04L63/166—... at the transport layer
- H04L67/00—Network arrangements or protocols for supporting network services or applications > H04L67/14—Session management
Definitions
- This application relates to the field of communications technologies, and in particular, to a method and a system used by a terminal to connect to a virtual private network (VPN), and a related device.
- VPN virtual private network
- IP camera (IPC) terminals are widespread.
- IP Internet Protocol
- To prevent a video stream transmitted by an IPC terminal to a network from being maliciously monitored, and to prevent control signaling transmitted by the network to the IPC terminal from being maliciously tampered with in transit, Secure Sockets Layer (SSL) VPN technology is applied to the IPC terminal, so that the video stream and the control signaling are encrypted for transmission between the IPC terminal and the network.
- SSL Secure Sockets Layer
- The SSL VPN technology means that a remote user is connected to an SSL VPN server by using a web browser.
- A data packet transmitted between the remote user and the SSL VPN server is encrypted by using the SSL protocol or the Transport Layer Security (TLS) protocol (the successor of the SSL protocol).
- TLS Transport Layer Security
- Both the SSL protocol and the TLS protocol are referred to as "SSL" or the "SSL protocol" below.
- A security connection client is disposed in an IPC terminal in advance.
- An IP address of a VPN gateway is preconfigured in the IPC terminal.
- The security connection client initiates authentication. After the authentication succeeds, an SSL session is established between the IPC terminal and the VPN gateway.
- A data stream (for example, a video stream) and a signaling stream may be encrypted by using the SSL session for transmission.
- An outdoor IPC terminal is unattended, and therefore presents a terminal security problem. After the IPC terminal is maliciously operated, malicious data transmitted to the network is difficult to detect because of the encryption protection provided by the VPN. Therefore, to ensure a secure connection of the IPC to the network, a VPN gateway cannot be deployed near the core network, and the VPN gateway is usually deployed on a router gateway.
- The VPN gateway is deployed on the router gateway in a bypass mode.
- The "bypass mode" means that the VPN gateway is directly connected to the router gateway by a network cable, and the VPN gateway and the router gateway form an independent subnet.
- The VPN gateway is responsible for access authentication and SSL session establishment of the IPC terminals in the area managed by the VPN gateway, and for forwarding the data stream and the signaling stream to a video private network.
- The video private network is an upper-layer network that includes the router gateway, a video surveillance device, and the like. Different VPN gateways have different IP addresses, and different VPN gateways are responsible for managing different areas.
- The IPC terminal is not allowed to connect to the network and establish an SSL session without permission of the VPN gateway.
- For normal use, the IPC terminal needs to cooperate with the VPN gateway that manages the area in which the IPC terminal is located.
- The IP address of a VPN gateway that is configured for the IPC terminal can only be the IP address of the VPN gateway that manages the area in which the IPC terminal is located.
- US2016/087941 discloses techniques for providing services to multiple tenants via a shared end-point.
- This application provides a method and a system used by a terminal to connect to a virtual private network, and a related device, so as to resolve the current problem that configuring the IP address of a VPN gateway for each terminal is labour-intensive and error-prone.
- FIG. 1 shows a system architecture in which a terminal is connected to a VPN.
- The system architecture mainly includes a terminal 101, a VPN gateway 102, a router gateway 103, a VPN control device 104, and an authentication server 105. Details are as follows:
- The terminal 101 may be a terminal that supports an IP protocol stack, such as an IPC. Client software is installed on the terminal 101.
- The terminal initiates authentication.
- The terminal may be, for example, a mobile phone, a personal computer (such as a notebook computer or a desktop computer), a printer, an IP phone, or a projector.
- The VPN gateway 102 is configured to establish an SSL session with the terminal.
- The VPN gateway 102 performs tunnel encapsulation on a service stream and a signaling flow that are sent by using the SSL session, decapsulates a service stream and a signaling flow that are received by using the SSL session, and forwards the service stream to a next hop.
- The router gateway 103 is disposed between a layer-2 network device and a layer-3 network device, and is configured to perform layer-2 access and layer-2 forwarding with the layer-2 network device.
- The layer-3 network device is connected to the VPN gateway and the VPN control device, and the router gateway 103 performs routing and forwarding with the layer-3 network device.
- The VPN control device 104 is the authenticator of all terminals 101 in the system, and communicates with the authentication server 105 to complete authentication of the terminals.
- The VPN control device 104 sends an authentication result and an address of the VPN gateway to the terminal 101.
- The VPN control device 104 sends, to the VPN gateway 102, an identifier of a terminal 101 that is authenticated.
- The authentication server 105 is configured to attempt to authenticate the terminal 101.
- The VPN control device is a gateway device that works independently, or the function of the VPN control device is completed by multiple gateway devices by means of cooperation.
- The VPN gateway is a gateway device that works independently, or the function of the VPN gateway is completed by multiple gateway devices by means of cooperation.
- The system may further include a video surveillance device 106.
- The video surveillance device 106 is configured to send signaling to the terminal 101 in the area managed by the VPN gateway 102.
- The video surveillance device 106 may display a video sent by the terminal 101.
- The video surveillance device 106 may store a video sent by the terminal 101.
- The VPN control device and the authentication server may be integrated into one device.
- FIG. 2 shows a specific process in which a terminal is connected to a VPN. Details are as follows: Step 201: A VPN control device receives a first handshake message sent by a router gateway, where the first handshake message is sent by the router gateway after the router gateway receives a second handshake message sent by a terminal, and the second handshake message is used to initiate a negotiation process of a first SSL session with the VPN control device.
- The IP addresses of all VPN gateways in the system are configured in the VPN control device.
- A direct route entry is configured in the router gateway.
- The direct route entry includes a subnet prefix of a VPN gateway that is located on the router gateway in a bypass mode, or the direct route entry includes a subnet prefix and a mask of a VPN gateway that is located on the router gateway in a bypass mode.
- The "bypass mode" means that the router gateway is connected to the VPN gateway by a network cable. The router gateway and the VPN gateway in a bypass mode belong to the same subnet.
- The IP addresses of all the VPN gateways in the system, or the masks and the IP addresses of all the VPN gateways in the system, are configured in the VPN control device.
- The IP addresses of all the VPN gateways that are configured in the VPN control device are different from each other, and the subnet prefixes of all the VPN gateways are different from each other, so as to ensure global uniqueness of the VPN gateways.
- After receiving the second handshake message from the terminal, and before sending the first handshake message to the VPN control device, the router gateway adds its direct route entry to the second handshake message, so as to obtain the first handshake message.
- Step 202: The VPN control device determines, according to the first handshake message, a session parameter of the first SSL session by negotiating with the terminal, and attempts to authenticate the terminal by using the first SSL session.
- The session parameter of the first SSL session includes a session key, a session identifier, and an encryption algorithm, and the terminal and the VPN control device each store the session parameter of the first SSL session.
- The VPN control device receives, by using the first SSL session, an authentication message sent by the terminal.
- The authentication message carries the session identifier and authentication data, and the authentication data is obtained by encrypting an identifier of the terminal by using the encryption algorithm and the session key.
- The VPN control device obtains the session identifier and the authentication data that are carried in the authentication message. After determining that the VPN control device stores the session identifier, the VPN control device decrypts the authentication data by using the session key and the encryption algorithm to obtain the identifier of the terminal, and sends the identifier of the terminal to an authentication server.
- If receiving an authentication success message returned by the authentication server, the VPN control device determines that authentication of the terminal succeeds. If receiving an authentication failure message returned by the authentication server, the VPN control device determines that authentication of the terminal fails.
- The VPN control device tears down the first SSL session.
- Step 203: After the terminal is authenticated, the VPN control device determines an IP address of a first VPN gateway to which the terminal is allowed to connect.
- The VPN control device determines, according to the direct route entry of the router gateway that sends the first handshake message, the first VPN gateway to which the terminal is allowed to connect.
- The terminal initiates the negotiation process of the first SSL session with the VPN control device according to the configured IP address of the VPN control device. That is, the terminal sends the second handshake message, that is, a ClientHello message, using the IP address of the VPN control device as the destination address.
- The router gateway receives the ClientHello message sent by the terminal, and adds the direct route entry of the router gateway to an unoccupied extension option of the ClientHello message, so as to obtain the first handshake message.
- FIG. 3 shows the structure of the extension option of the ClientHello message; the option field corresponding to type 60 carries the direct route entry of the router gateway.
- The extension type of the extension option of the ClientHello message may be any unused value in the range from 36 to 65280.
- FIG. 4 shows the process in which the VPN control device determines the IP address of the first VPN gateway.
- The VPN control device obtains, from the list of the configured IP addresses of all the VPN gateways in the system, an IP address of a VPN gateway that belongs to the subnet prefix of the VPN gateway included in the direct route entry carried in the first handshake message, and determines the obtained IP address as the IP address of the first VPN gateway. If more than one configured VPN gateway IP address belongs to that subnet prefix, one IP address is randomly selected from the eligible IP addresses as the IP address of the first VPN gateway.
- The IP address of the first VPN gateway is determined in the following steps.
- Step a: The VPN control device obtains the subnet prefix M and the mask N of a VPN gateway from the direct route entry carried in the first handshake message, and performs an AND operation on M and N to obtain X.
- Step b: For an IP address A of a VPN gateway configured in the VPN control device and the mask B corresponding to A, perform an AND operation on A and B to obtain Y.
- Step c: Determine whether X is equal to Y. If X is equal to Y, determine that the IP address A is the IP address of the first VPN gateway; if X is not equal to Y, obtain the IP address of the next VPN gateway configured in the VPN control device and its corresponding mask, and repeat step b and step c until the list of the IP addresses of all the VPN gateways in the system that are configured in the VPN control device has been traversed.
- The VPN control device searches the list of the IP addresses of all the VPN gateways in the system according to the direct route entry. For example, if each entry in the direct route entry represents a subnet prefix of a VPN gateway, that subnet prefix is used to search the list of the IP addresses of all the VPN gateways in the system, and an IP address of a VPN gateway that belongs to the subnet prefix is determined as the IP address of the first VPN gateway to which the terminal needs to connect.
- Step 204: The VPN control device notifies the terminal of the IP address of the first VPN gateway.
- The VPN control device notifies the first VPN gateway of the IP address of the terminal and the session parameter of the first SSL session, and the first VPN gateway stores the IP address of the terminal and the session parameter of the first SSL session.
- The terminal and the first VPN gateway reuse the session parameter of the first SSL session to establish a second SSL session.
- The process in which the terminal establishes the second SSL session with the first VPN gateway is as follows: The terminal encrypts its IP address by using the session key and the encryption algorithm of the first SSL session to generate a ciphertext, adds the session identifier of the first SSL session and the ciphertext to a third handshake message, and sends the third handshake message to the first VPN gateway.
- The third handshake message is used to initiate a negotiation process of the second SSL session with the first VPN gateway.
- The third handshake message is a ClientHello message.
- A ciphertext A is generated by encrypting the IP address of the terminal by using the session key and the encryption algorithm, and the ciphertext A is carried in an extension option of the ClientHello message.
- The type of the extension option of the ClientHello message may be any unused value in the range from 36 to 65280, and type 61 indicates that the option field of the extension option carries the ciphertext A.
- The first VPN gateway receives the third handshake message, and obtains the session identifier and the ciphertext that are carried in the third handshake message. If the first VPN gateway determines that it locally stores the session identifier, and that the result obtained by decrypting the ciphertext by using the locally stored session key and encryption algorithm is the IP address of the terminal, the first VPN gateway establishes the second SSL session with the terminal, and uses the session parameter of the first SSL session as the session parameter of the second SSL session.
- FIG. 5 shows the process in which the first VPN gateway establishes the second SSL session with the terminal according to the session identifier and the ciphertext carried in the third handshake message. Details are as follows: The first VPN gateway locally stores the IP address of the terminal that is allowed to connect to the first VPN gateway, and stores the session identifier, the session key, and the encryption algorithm of the first SSL session. The first VPN gateway parses the ClientHello message sent by the terminal to obtain the session identifier carried in the ClientHello message, and extracts the ciphertext A from extension option 61 of the ClientHello message. The first VPN gateway determines whether the session identifier carried in the ClientHello message is the same as the locally cached session identifier.
- If the session identifier carried in the ClientHello message differs from the locally cached session identifier, the first VPN gateway refuses to establish the second SSL session. If the session identifier carried in the ClientHello message is the same as the locally cached session identifier, the first VPN gateway decrypts the ciphertext A by using the locally stored encryption algorithm and session key of the first SSL session, so as to obtain a value X. The first VPN gateway determines whether the value X is the same as the IP address of the terminal that initiates the request. If the value X is different from the IP address of the terminal that initiates the request, the first VPN gateway refuses to establish the second SSL session.
- The first VPN gateway further determines whether the IP address of the terminal that initiates the request is the locally stored IP address of the terminal that is allowed to connect to the first VPN gateway. If it is not, the first VPN gateway refuses to establish the second SSL session; if it is, the first VPN gateway successfully establishes the second SSL session with the terminal, and reuses the session identifier, the session key, and the encryption algorithm of the first SSL session.
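The third handshake message and the gateway-side checks of FIG. 5, as an added Python example that is not the patent's code: the terminal places ciphertext A in a ClientHello extension of type 61 next to the session identifier, and the first VPN gateway runs the decision sequence above, refusing on the first failed check. The extension encoding follows the TLS type/length/data layout, and the "encryption algorithm" is a stand-in keystream derived from the session key with HMAC-SHA256; both are assumptions of this example, not the cipher the session would actually negotiate, and all keys and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

EXT_TYPE_CIPHERTEXT_A = 61   # extension type that carries ciphertext A (from the text)


def keystream_cipher(session_key: bytes, session_id: bytes, data: bytes) -> bytes:
    """Stand-in for the negotiated encryption algorithm (assumption of this
    example): XOR with an HMAC-SHA256 keystream bound to the session identifier.
    Symmetric, so the same call decrypts."""
    stream = hmac.new(session_key, b"ciphertext-A" + session_id, hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


def build_extensions(exts) -> bytes:
    """TLS-style extensions block: 2-byte total length, then (type, length, data) triples."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body


def parse_extensions(blob: bytes) -> dict:
    """Parse the extensions block into {type: data}; raise ValueError on truncation."""
    if len(blob) < 2:
        raise ValueError("missing extensions length")
    (total,) = struct.unpack("!H", blob[:2])
    body = blob[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated extensions block")
    exts, off = {}, 0
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated extension header")
        t, n = struct.unpack("!HH", body[off:off + 4])
        off += 4
        data = body[off:off + n]
        if len(data) != n:
            raise ValueError("truncated extension data")
        exts[t] = data
        off += n
    return exts


def terminal_build_third_handshake(terminal_ip: str, session_id: bytes, session_key: bytes) -> dict:
    """Terminal side: session identifier of the first SSL session plus extension 61
    carrying ciphertext A = Enc(session_key, terminal IP)."""
    packed_ip = ipaddress.IPv4Address(terminal_ip).packed
    ciphertext_a = keystream_cipher(session_key, session_id, packed_ip)
    return {"session_id": session_id,
            "extensions": build_extensions([(EXT_TYPE_CIPHERTEXT_A, ciphertext_a)])}


class FirstVpnGateway:
    def __init__(self, allowed_terminal_ip: str, session_id: bytes, session_key: bytes):
        # State the VPN control device notifies to the gateway after authentication.
        self.allowed_terminal_ip = allowed_terminal_ip
        self.session_id = session_id
        self.session_key = session_key
        self.second_sessions = {}

    def handle_third_handshake(self, msg: dict, source_ip: str):
        """Return (accepted, reason); the order of checks follows FIG. 5."""
        if not hmac.compare_digest(msg["session_id"], self.session_id):
            return False, "session identifier not locally cached"
        try:
            exts = parse_extensions(msg["extensions"])
        except ValueError as err:
            return False, f"malformed ClientHello: {err}"
        ciphertext_a = exts.get(EXT_TYPE_CIPHERTEXT_A)
        if ciphertext_a is None or len(ciphertext_a) != 4:
            return False, "extension 61 missing or wrong length"
        # Value X: the decrypted ciphertext must equal the address the request came from.
        x = str(ipaddress.IPv4Address(keystream_cipher(self.session_key, self.session_id, ciphertext_a)))
        if x != source_ip:
            return False, "decrypted address differs from request source"
        if source_ip != self.allowed_terminal_ip:
            return False, "terminal not allowed on this gateway"
        # Second SSL session reuses the first session's identifier and key.
        self.second_sessions[source_ip] = (self.session_id, self.session_key)
        return True, "second SSL session established with reused session parameter"
```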
- The following uses a specific embodiment to describe in detail the process of attempting to authenticate terminal access and establishing an SSL session used for service stream transmission.
- FIG. 6 is a schematic diagram of the functional logic of terminal access authentication and SSL session establishment according to the specific embodiment.
- FIG. 7A, FIG. 7B, and FIG. 7C are a schematic flowchart of a method for terminal access authentication and SSL session establishment according to the specific embodiment.
- FIG. 8A, FIG. 8B, FIG. 8C, and FIG. 8D are a schematic diagram of the working time sequence of terminal access authentication and SSL session establishment according to the specific embodiment.
- The VPN control device mainly includes a processor 901 and a communications interface 902. Specifically, the processor 901 performs the following processes:
- The router gateway includes a processor 1001 and a communications interface 1002.
- The processor 1001 performs the following processes according to the program:
- The terminal includes a processor 1101 and a communications interface 1102. Specifically, the processor 1101 performs the following processes:
- The terminal further includes a video collection module.
- The VPN control device includes:
- The functions of the receiving module 1201 and the notification module 1204 may be implemented by the communications interface 902 of the VPN control device, and the functions of the authentication module 1202 and the determining module 1203 may be implemented by the processor 901 of the VPN control device.
- The router gateway includes:
- The functions of the receiving module 1301 and the sending module 1303 are implemented by the communications interface 1002 of the router gateway, and the function of the processing module 1302 is implemented by the processor 1001 of the router gateway.
- The terminal includes:
- The functions of the sending module 1401 and the receiving module 1403 are implemented by the communications interface 1102 of the terminal, and the function of the processing module 1402 is implemented by the processor 1101 of the terminal.
- The embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may use a form of hardware only embodiments, software only embodiments, or embodiments with a combination of software and hardware. Moreover, the present invention may use a form of a computer program product that is implemented on one or more computer-usable storage media (including but not limited to a disk memory, a CD-ROM, an optical memory, and the like) that include computer-usable program code.
- These computer program instructions may be provided for a general-purpose computer or a processor of any other programmable data processing device to generate a machine, so that the instructions executed by a computer or a processor of any other programmable data processing device generate an apparatus for implementing a specific function in one or more processes in the flowcharts and/or in one or more blocks in the block diagrams.
- These computer program instructions may be loaded onto a computer or another programmable data processing device, so that a series of operations and steps are performed on the computer or the other programmable device, thereby generating computer-implemented processing. Therefore, the instructions executed on the computer or the other programmable device provide steps for implementing a specific function in one or more processes in the flowcharts and/or in one or more blocks in the block diagrams.
Claims (10)
- 1. Method used by a terminal to connect to a virtual private network (VPN), comprising the steps of: receiving (201), by a VPN control device, a first handshake message sent by a router gateway, the first handshake message being sent by the router gateway after the router gateway receives a second handshake message sent by a terminal, the second handshake message being used to initiate a negotiation process of a first Secure Sockets Layer (SSL) session with the VPN control device; determining (202), by the VPN control device according to the first handshake message, a session parameter of the first SSL session by negotiating with the terminal, and attempting to authenticate the terminal by means of the first SSL session; once the terminal is authenticated, determining (203), by the VPN control device, an Internet Protocol (IP) address of a first VPN gateway to which the terminal is allowed to connect; and notifying (204), by the VPN control device to the terminal, the IP address of the first VPN gateway, the first handshake message carrying a direct route entry of the router gateway and the direct route entry comprising a subnet prefix of a VPN gateway that is located on the router gateway in a bypass mode; and the determining, by the VPN control device, of an IP address of a first VPN gateway comprising the step of: obtaining, by the VPN control device from a list of configured IP addresses of all the VPN gateways, an IP address of a VPN gateway that belongs to the subnet prefix, of the VPN gateway, included in the direct route entry, and determining that the obtained IP address of the VPN gateway is the IP address of the first VPN gateway.
- 2. Method according to claim 1, the method further comprising the step of: notifying, by the VPN control device to the first VPN gateway, an IP address of the terminal and the session parameter of the first SSL session, the first VPN gateway storing the IP address of the terminal and the session parameter of the first SSL session, and the session parameter comprising a session key, a session identifier and an encryption algorithm.
- 3. Method according to any one of claims 1 and 2, the method further comprising the step of: sending, by the terminal, a third handshake message to the first VPN gateway, the third handshake message being used to initiate a negotiation process of a second SSL session with the first VPN gateway, the third handshake message carrying the session identifier and a ciphertext, and the ciphertext being generated by encrypting the IP address of the terminal by means of the session key and the encryption algorithm.
- 4. Method according to any one of claims 1 to 3, wherein the attempting, by the VPN control device, to authenticate the terminal by means of the first SSL session comprises the steps of: receiving, by the VPN control device by means of the first SSL session, an authentication message sent by the terminal, the authentication message carrying the session identifier and authentication data, and the authentication data being obtained by encrypting an identifier of the terminal by means of the encryption algorithm and the session key; parsing, by the VPN control device, the authentication message to obtain the session identifier and the authentication data that are carried in the authentication message; after determining that the VPN control device stores the session identifier, decrypting the authentication data by means of the session key and the encryption algorithm to obtain the identifier of the terminal; and sending the identifier of the terminal to an authentication server; and on receipt of an authentication success message returned by the authentication server, determining, by the VPN control device, that access of the terminal is allowed, the authentication success message being returned by the authentication server once the authentication server determines that the identifier of the terminal exists; or on receipt of an authentication failure message returned by the authentication server, determining, by the VPN control device, that access of the terminal is not allowed.
- 5. System used by a terminal to connect to a virtual private network (VPN), comprising: a terminal (101), configured to send a second handshake message to a router gateway (103), the second handshake message being used to initiate a negotiation process of a first Secure Sockets Layer (SSL) session with a VPN control device (104); the router gateway, configured to send a first handshake message to the VPN control device after receiving the second handshake message sent by the terminal; and the VPN control device, configured to receive the first handshake message sent by the router gateway, determine, according to the first handshake message, a session parameter of the first SSL session by negotiating with the terminal, and attempt to authenticate the terminal by means of the first SSL session; once the terminal is authenticated, determine an Internet Protocol (IP) address of a first VPN gateway to which the terminal is allowed to connect; and notify the terminal of the IP address of the first VPN gateway, the router gateway being specifically configured to: add a direct route entry to the second handshake message to obtain the first handshake message, the direct route entry comprising a subnet prefix of a VPN gateway that is located on the router gateway in a bypass mode; and the VPN control device being specifically configured to: obtain, from a list of configured IP addresses of all the VPN gateways, an IP address of a VPN gateway that belongs to the subnet prefix, of the VPN gateway, included in the direct route entry, and determine that the obtained IP address of the VPN gateway is the IP address of the first VPN gateway.
- 6. System according to claim 5, wherein the VPN control device is further configured to: notify the first VPN gateway of an IP address of the terminal and the session parameter of the first SSL session; and the first VPN gateway is specifically configured to: store the IP address of the terminal and the session parameter of the first SSL session, the session parameter comprising a session key, a session identifier and an encryption algorithm.
- 7. System according to any one of claims 5 and 6, wherein the terminal is further configured to: send a third handshake message to the first VPN gateway, the third handshake message being used to initiate a negotiation process of a second SSL session with the first VPN gateway, the third handshake message carrying the session identifier and a ciphertext, and the ciphertext being generated by encrypting the IP address of the terminal by means of the session key and the encryption algorithm.
- 8. System according to any one of claims 5 to 7, wherein the terminal is specifically configured to: send an authentication message to the VPN control device by means of the first SSL session, the authentication message carrying the session identifier and authentication data, and the authentication data being obtained by encrypting an identifier of the terminal by means of the encryption algorithm and the session key; the VPN control device being specifically configured to: receive, by means of the first SSL session, the authentication message sent by the terminal; parse the authentication message to obtain the session identifier and the authentication data that are carried in the authentication message; after determining that the VPN control device stores the session identifier, decrypt the authentication data by means of the session key and the encryption algorithm to obtain the identifier of the terminal; and send the identifier of the terminal to an authentication server; the authentication server being specifically configured to: receive the identifier of the terminal sent by the VPN control device, and if it is determined that the authentication server stores the identifier of the terminal, return an authentication success message to the VPN control device; or if it is determined that the authentication server does not store the identifier of the terminal, return an authentication failure message to the VPN control device; and the VPN control device being specifically configured to:
en cas de réception du message de succès d'authentification renvoyé par le serveur d'authentification, déterminer qu'un accès du terminal est autorisé ; ou en cas de réception du message d'échec d'authentification renvoyé par le serveur d'authentification, déterminer qu'un accès du terminal n'est pas autorisé. - Dispositif de contrôle de réseau privé virtuel (VPN), comprenant :un module de réception (1201), configuré pour recevoir un premier message d'établissement de liaison envoyé par une passerelle de routage, le premier message d'établissement de liaison étant envoyé par la passerelle de routage après la réception, par la passerelle de routage, d'un deuxième message d'établissement de liaison envoyé par un terminal, le deuxième message d'établissement de liaison étant utilisé pour amorcer un processus de négociation d'une première session sur couche de socket sécurisée (SSL) avec le dispositif de contrôle de VPN ;un module d'authentification (1202), configuré pour : déterminer, selon le premier message d'établissement de liaison, un paramètre de session de la première session SSL en négociant avec le terminal, et tenter d'authentifier le terminal au moyen de la première session SSL ;un module de détermination (1203), configuré pour : une fois le terminal authentifié, déterminer une adresse sur protocole Internet (IP) d'une première passerelle VPN à laquelle le terminal est autorisé à se connecter ; etun module de notification (1204), configuré pour notifier au terminal l'adresse IP de la première passerelle VPN, le premier message d'établissement de liaison transportant une entrée de route directe de la passerelle de routage et l'entrée de route directe comprenant un préfixe de sous-réseau d'une passerelle VPN qui est située sur la passerelle de routage dans un mode de contournement ; etle module de détermination étant spécifiquement configuré pour :
obtenir, à partir d'une liste d'adresses IP configurées de toutes les passerelles VPN, une adresse IP d'une passerelle VPN qui appartient au préfixe de sous-réseau, de la passerelle VPN, comprise dans l'entrée de route directe, et déterminer que l'adresse IP obtenue de la passerelle VPN est l'adresse IP de la première passerelle VPN. - Dispositif de contrôle de VPN selon la revendication 9, dans lequel le module de notification est en outre configuré pour :
notifier à la première passerelle VPN une adresse IP du terminal et le paramètre de session de la première session SSL, la première passerelle VPN stockant l'adresse IP du terminal et le paramètre de session de la première session SSL, et le paramètre de session comprenant une clé de session, un identifiant de session et un algorithme de cryptage.
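The exchange the claims describe, modelled end to end as an added example (this is not code from the patent or its assignee): the control device negotiates the first session, refuses an authentication message whose session identifier it does not store before touching the ciphertext, checks the decrypted terminal identifier against an authentication-server stub, picks the VPN gateway from the routing gateway's direct-route prefix, and the VPN gateway admits the third handshake only when the decrypted IP matches the one it was notified of. Assumptions: the negotiated cipher is an HMAC-SHA256 counter-mode stand-in with an encrypt-then-MAC tag, the key agreement is abstracted away, the gateway-side IP comparison is my reading of how the ciphertext is used, and all addresses and identifiers are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class SessionParams:          # the "session parameter" of the first SSL session, as the claims list it
    session_id: bytes
    session_key: bytes
    algorithm: str            # negotiated encryption algorithm; only the stand-in "hmac-ctr" is modelled


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256, XORed onto data (stand-in for a real cipher)."""
    out = bytearray()
    for i, b in enumerate(data):
        if i % 32 == 0:
            block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


def encrypt(params: SessionParams, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the session key; wire layout is nonce || body || tag."""
    nonce = secrets.token_bytes(16)
    body = _xor_stream(params.session_key, nonce, plaintext)
    return nonce + body + hmac.new(params.session_key, nonce + body, hashlib.sha256).digest()


def decrypt(params: SessionParams, ciphertext: bytes) -> Optional[bytes]:
    nonce, body, tag = ciphertext[:16], ciphertext[16:-32], ciphertext[-32:]
    expected = hmac.new(params.session_key, nonce + body, hashlib.sha256).digest()
    if len(ciphertext) < 48 or not hmac.compare_digest(expected, tag):
        return None           # a failed tag yields None, never a garbled plaintext
    return _xor_stream(params.session_key, nonce, body)


class VpnControlDevice:
    def __init__(self, gateway_ips, known_terminal_ids):
        self.gateway_ips = [ipaddress.ip_address(ip) for ip in gateway_ips]  # configured list of all VPN gateways
        self.auth_server = set(known_terminal_ids)   # stands in for the authentication server's directory
        self.sessions: Dict[bytes, SessionParams] = {}

    def negotiate(self) -> SessionParams:
        # First SSL session: the key agreement itself is abstracted, only its outputs are modelled.
        params = SessionParams(secrets.token_bytes(8), secrets.token_bytes(32), "hmac-ctr")
        self.sessions[params.session_id] = params
        return params

    def authenticate(self, session_id: bytes, auth_data: bytes) -> bool:
        params = self.sessions.get(session_id)
        if params is None:
            return False      # session identifier not stored here: reject before touching the ciphertext
        terminal_id = decrypt(params, auth_data)
        return terminal_id is not None and terminal_id in self.auth_server

    def select_gateway(self, direct_route_prefix: str) -> Optional[str]:
        # The configured VPN gateway whose address lies in the routing gateway's direct-route prefix.
        prefix = ipaddress.ip_network(direct_route_prefix, strict=False)
        return next((str(ip) for ip in self.gateway_ips if ip in prefix), None)


class VpnGateway:
    def __init__(self):
        self.bindings: Dict[bytes, Tuple[str, SessionParams]] = {}  # filled by the control device's notification

    def accept_third_handshake(self, session_id: bytes, ciphertext: bytes) -> bool:
        # Assumption: the gateway admits the second session only if the decrypted IP equals the notified one.
        if session_id not in self.bindings:
            return False
        terminal_ip, params = self.bindings[session_id]
        claimed_ip = decrypt(params, ciphertext)
        return claimed_ip is not None and hmac.compare_digest(claimed_ip, terminal_ip.encode())


def run_exchange(terminal_id: bytes, terminal_ip: str, direct_route_prefix: str) -> dict:
    control = VpnControlDevice(["198.51.100.1", "192.0.2.10"], [b"terminal-42"])  # constructed sample config
    gateway = VpnGateway()
    params = control.negotiate()
    authenticated = control.authenticate(params.session_id, encrypt(params, terminal_id))
    selected = control.select_gateway(direct_route_prefix) if authenticated else None
    accepted = False
    if selected is not None:
        gateway.bindings[params.session_id] = (terminal_ip, params)   # notification to the first VPN gateway
        accepted = gateway.accept_third_handshake(params.session_id, encrypt(params, terminal_ip.encode()))
    return {"authenticated": authenticated, "gateway": selected, "tunnel_accepted": accepted}
```

`run_exchange(b"terminal-42", "10.0.5.7", "192.0.2.0/24")` walks the happy path; swapping in an unenrolled identifier or a prefix that contains no configured gateway shows where each stage refuses.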
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610242556.0A CN107306214B (zh) | 2016-04-18 | 2016-04-18 | 终端连接虚拟专用网的方法、系统及相关设备 |
PCT/CN2017/080310 WO2017181894A1 (fr) | 2016-04-18 | 2017-04-12 | Procédé et système de connexion d'un réseau privé virtuel par un terminal, et dispositif associé |
Publications (3)
Publication Number | Publication Date |
---|---|
EP3432523A1 EP3432523A1 (fr) | 2019-01-23 |
EP3432523A4 EP3432523A4 (fr) | 2019-01-23 |
EP3432523B1 true EP3432523B1 (fr) | 2020-09-09 |
Family
ID=60116556
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP17785379.3A Active EP3432523B1 (fr) | 2016-04-18 | 2017-04-12 | Procédé et système pour connecter un terminal a un réseau privé virtuel |
Country Status (4)
Country | Link |
---|---|
US (1) | US11165604B2 (fr) |
EP (1) | EP3432523B1 (fr) |
CN (1) | CN107306214B (fr) |
WO (1) | WO2017181894A1 (fr) |
- 2016-04-18: CN application CN201610242556.0A, published as CN107306214B (Active)
- 2017-04-12: EP application EP17785379.3A, published as EP3432523B1 (Active)
- 2017-04-12: WO application PCT/CN2017/080310, published as WO2017181894A1 (Application Filing)
- 2018-10-18: US application US16/164,249, published as US11165604B2 (Active)
Non-Patent Citations (1)
Title |
---|
None * |
Also Published As
Publication number | Publication date |
---|---|
EP3432523A1 (fr) | 2019-01-23 |
US20190052482A1 (en) | 2019-02-14 |
WO2017181894A1 (fr) | 2017-10-26 |
CN107306214B (zh) | 2020-04-03 |
US11165604B2 (en) | 2021-11-02 |
EP3432523A4 (fr) | 2019-01-23 |
CN107306214A (zh) | 2017-10-31 |